CVE-2026-22712

4.3 MEDIUM

📋 TL;DR

This CVE describes an improper output encoding vulnerability in MediaWiki's ApprovedRevs extension. The extension performs magic word replacement inside the ParserAfterTidy hook, which runs on the finished, already-sanitized HTML of a page, so a value substituted there without HTML encoding reaches the browser unescaped. An attacker who can get controlled data into that substitution can inject content or markup that is rendered as-is for other readers. It affects the ApprovedRevs extension on the 1.39, 1.43, 1.44 and 1.45 branches listed below.

💻 Affected Systems

Products:
  • MediaWiki - ApprovedRevs Extension
Versions: 1.39, 1.43, 1.44, 1.45 (these are the extension's MediaWiki release branches, REL1_39 and so on, not ApprovedRevs's own version numbers)
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects MediaWiki installations with the ApprovedRevs extension enabled and configured.

📦 What is this software?

ApprovedRevs is a MediaWiki extension that lets users with the appropriate permission mark one revision of a page as "approved"; readers are then shown the approved revision by default instead of the latest edit. It is typically used on wikis where content must be reviewed before it goes live.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could inject script or markup that runs in the browser of anyone viewing the affected page: stored cross-site scripting, with session hijacking or content defacement as follow-on impact.

🟠

Likely Case

Content manipulation limited to what the magic word substitution can carry: injected text or broken formatting on pages served through ApprovedRevs, rather than reliable script execution.

🟢

If Mitigated

On a patched installation the substituted value is HTML-encoded before it is written into the page output, and the issue has no impact.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires the ability to place content that ApprovedRevs will substitute while rendering a page, plus familiarity with MediaWiki's magic word system and how ApprovedRevs serves approved revisions. It is not exploitable without an authenticated context.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: no single version number; use the latest ApprovedRevs release for your MediaWiki branch, or the fixed commit referenced in the vendor advisory below

Vendor Advisory: https://phabricator.wikimedia.org/T412068

Restart Required: No

Instructions:

1. Update the ApprovedRevs extension to the latest release for your MediaWiki branch (for git checkouts, pull the matching REL1_xx branch from Wikimedia Gerrit once the fix has landed).
2. If you cannot take a full update, cherry-pick the fix commit from Gerrit onto your checkout.
3. Purge the parser cache, for example by updating $wgCacheEpoch in LocalSettings.php. HTML produced by the vulnerable hook is stored in the parser cache and would otherwise keep being served until it expires.

🔧 Temporary Workarounds

Disable ApprovedRevs Extension

Applies to: all platforms

Temporarily disable the vulnerable extension until patched.

Edit LocalSettings.php and comment out or remove the wfLoadExtension('ApprovedRevs'); line, then purge the parser cache so pages rendered while the extension was enabled are not served from cache. Readers will see the latest revision of every page rather than the approved one until the extension is re-enabled.

🧯 If You Can't Patch

  • Tighten edit and upload permissions so that only trusted accounts can place content on pages ApprovedRevs renders; generic input validation does not address an output-encoding bug, but reducing who can supply the input shrinks the attacker pool
  • Enable Content Security Policy headers ($wgCSPHeader in LocalSettings.php) to limit what injected markup can do if it does reach the browser

🔍 How to Verify

Check if Vulnerable:

Confirm the extension is actually loaded: it appears on Special:Version (or in the siteinfo API output, meta=siteinfo&siprop=extensions) only when wfLoadExtension has enabled it. If it is loaded and the wiki runs one of the affected MediaWiki branches, treat the installation as vulnerable until the fix commit is confirmed.

Check Version:

Special:Version shows the extension's version and, for git checkouts, the deployed commit hash. The same information is in extensions/ApprovedRevs/extension.json (version) and git -C extensions/ApprovedRevs log -1 (commit).

Verify Fix Applied:

Because the fix ships as a commit on each supported release branch, a version number alone is not conclusive. Compare the deployed commit with the fix change referenced in the vendor advisory, or confirm the extension was updated from a release cut after the fix landed.
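As an added example (not code from the page, the extension or Wikimedia), the following Python script turns the checks above into something repeatable across many wikis. It parses a siteinfo API response of the shape returned by api.php?action=query&meta=siteinfo&siprop=general|extensions, reports whether ApprovedRevs is loaded, its version and commit, and whether the MediaWiki branch is one listed as affected. The sample response, its site name, version strings and commit hash are constructed placeholders; the only assumption about the API is the documented siteinfo field names (generator, name, version, vcs-version).

```python
"""Assess ApprovedRevs exposure from a MediaWiki siteinfo API response.

Added example: no network access; it parses a response of the shape returned
by api.php?action=query&meta=siteinfo&siprop=general|extensions&format=json.
"""
import json
import re
from typing import Optional

# MediaWiki release branches listed as affected on this page.
AFFECTED_BRANCHES = {"1.39", "1.43", "1.44", "1.45"}

# Constructed sample response. Site name, version strings and the commit hash
# are illustrative placeholders, not data from a real wiki.
SAMPLE_SITEINFO = json.dumps({
    "batchcomplete": "",
    "query": {
        "general": {"sitename": "ExampleWiki", "generator": "MediaWiki 1.43.1"},
        "extensions": [
            {"type": "other", "name": "ApprovedRevs", "version": "1.9.0",
             "vcs-system": "git",
             "vcs-version": "0123456789abcdef0123456789abcdef01234567"},
            {"type": "parserhook", "name": "ParserFunctions", "version": "1.6.0"},
        ],
    },
})


def mediawiki_branch(generator: str) -> Optional[str]:
    """Reduce a generator string such as 'MediaWiki 1.43.1' to its branch '1.43'."""
    m = re.search(r"MediaWiki\s+(\d+\.\d+)", generator)
    return m.group(1) if m else None


def assess(siteinfo_json: str) -> dict:
    """Summarise whether this wiki needs review for the ApprovedRevs issue.

    siteinfo lists only extensions that are actually loaded, so finding
    ApprovedRevs here means it is enabled, not merely present on disk.
    """
    query = json.loads(siteinfo_json)["query"]
    branch = mediawiki_branch(query.get("general", {}).get("generator", ""))
    ext = next((e for e in query.get("extensions", [])
                if e.get("name") == "ApprovedRevs"), None)
    result = {
        "approvedrevs_loaded": ext is not None,
        "approvedrevs_version": ext.get("version") if ext else None,
        "approvedrevs_commit": ext.get("vcs-version") if ext else None,
        "mediawiki_branch": branch,
        "branch_listed_as_affected": branch in AFFECTED_BRANCHES,
    }
    # The fix ships as a commit on each release branch, so a branch match only
    # says "possibly affected": compare approvedrevs_commit with the fix change
    # referenced in the advisory before closing the finding.
    result["needs_review"] = (result["approvedrevs_loaded"]
                              and result["branch_listed_as_affected"])
    return result


if __name__ == "__main__":
    for key, value in assess(SAMPLE_SITEINFO).items():
        print(f"{key}: {value}")
```

To run it against a real wiki, fetch the siteinfo URL above with your HTTP client of choice and pass the body to assess(). A result with needs_review set is a prompt to compare the reported commit against the fix, not a confirmation that the wiki is exploitable.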

📡 Detection & Monitoring

Log Indicators:

  • Edits that introduce unexpected HTML, script-like markup or odd magic word usage into pages ApprovedRevs serves (visible in RecentChanges and page revision history)
  • Approvals or unapprovals you cannot account for in the extension's own approval log (Special:Log, log type approval)

Network Indicators:

  • Unusual volume or timing of requests to the extension's approve/unapprove page actions (index.php?title=...&action=approve or action=unapprove), especially from accounts or addresses that do not normally approve revisions

SIEM Query:

Filter web access logs for index.php requests whose action parameter is approve or unapprove, group the hits by client address and account, and reconcile them against the approval log. Separately review recent edits to approved pages for injected markup, since web logs show the approval but not what the approved content contains.
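The following Python script is an added example of the log-side part of that query (it is not from the page, the extension or any SIEM vendor). It parses combined-format access log lines, picks out requests whose action parameter is an approval action, and aggregates them per client with the number of denied (403) attempts. The log lines, addresses, page titles and revision IDs are constructed; the action names approve and unapprove are an assumption about how this installation routes approvals, so adjust APPROVAL_ACTIONS if yours differs.

```python
"""Flag ApprovedRevs approval requests in web server access logs and
aggregate them per client for SIEM-style triage. Added example; nothing
here is taken from the extension's own code."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Assumption: approvals are requested through MediaWiki page actions named
# 'approve' and 'unapprove' (index.php?title=...&action=approve&oldid=N).
# Adjust this set if your installation routes approvals differently.
APPROVAL_ACTIONS = {"approve", "unapprove"}

# Combined log format: host ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: addresses, titles and revision IDs are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2026:10:02:11 +0000] "GET /w/index.php?title=Main_Page HTTP/1.1" 200 5123
203.0.113.5 - - [12/Jan/2026:10:02:40 +0000] "GET /w/index.php?title=Policy&action=approve&oldid=4412 HTTP/1.1" 302 0
198.51.100.7 - - [12/Jan/2026:10:03:02 +0000] "POST /w/index.php?title=Policy&action=submit HTTP/1.1" 302 0
203.0.113.5 - - [12/Jan/2026:10:03:30 +0000] "GET /w/index.php?title=Policy&action=unapprove HTTP/1.1" 302 0
203.0.113.5 - - [12/Jan/2026:10:03:45 +0000] "GET /w/index.php?title=Pricing&action=approve&oldid=4420 HTTP/1.1" 302 0
203.0.113.5 - - [12/Jan/2026:10:03:50 +0000] "GET /w/index.php?title=Pricing&action=approve&oldid=4420 HTTP/1.1" 403 812
198.51.100.7 - - [12/Jan/2026:10:04:05 +0000] "GET /w/index.php?title=Policy&action=approve&oldid=4413 HTTP/1.1" 403 812
"""


def parse_line(line: str):
    """Return (host, method, status, title, action, oldid), or None when the
    line is not in the combined log format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    qs = parse_qs(urlsplit(m["path"]).query)

    def first(key):
        return qs.get(key, [None])[0]

    return (m["host"], m["method"], int(m["status"]),
            first("title"), first("action"), first("oldid"))


def approval_events(log_text: str) -> list:
    """Every request whose action is one of the approval actions, in log order."""
    events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None and parsed[4] in APPROVAL_ACTIONS:
            events.append(parsed)
    return events


def per_host_summary(events) -> dict:
    """Per-client approval count, titles touched and denied (403) attempts.

    A client approving many titles in a short window, or repeatedly getting
    403s on the approve action, is what to reconcile against the wiki's own
    approval log and the account's normal role.
    """
    summary = defaultdict(lambda: {"approvals": 0, "titles": set(), "denied": 0})
    for host, _method, status, title, _action, _oldid in events:
        entry = summary[host]
        entry["approvals"] += 1
        entry["titles"].add(title)
        if status == 403:
            entry["denied"] += 1
    return dict(summary)


if __name__ == "__main__":
    for host, entry in per_host_summary(approval_events(SAMPLE_LOG)).items():
        print(host, entry["approvals"], sorted(entry["titles"]), entry["denied"])
```

Point it at a real log by replacing SAMPLE_LOG with the file contents; if your web server logs the MediaWiki session or username, extend parse_line to keep that field so the per-host view can be joined to accounts.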

🔗 References

  • Wikimedia Phabricator task T412068: https://phabricator.wikimedia.org/T412068